ENFORCEMENT OF SBA’S INFORMATION TECHNOLOGY ENTERPRISE ARCHITECTURE DURING THE DEVELOPMENT OF THE DISASTER CREDIT MANAGEMENT SYSTEM

AUDIT REPORT NUMBER 4-14

MARCH 2, 2004

This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.

U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

AUDIT REPORT
Issue Date: March 2, 2004
Number: 4-14

To:        Stephen D. Galvan
           Chief Information Officer

           /s/ Original signed
From:      Robert G. Seabrooks
           Assistant Inspector General for Auditing

Subject:   Enforcement of SBA’s Information Technology Enterprise Architecture during the Development of the Disaster Credit Management System

SBA’s Office of Disaster Assistance (ODA) desires to improve the delivery of its disaster loan origination and servicing activities through the Disaster Credit Management System (DCMS) initiative. The Office of Inspector General is monitoring the DCMS project to ensure that the system developed and implemented will meet SBA standards for security, integrity and availability, and also meet SBA’s system development methodology guidelines. This is our second report in a series of reports, and it presents issues regarding SBA’s Information Technology Enterprise Architecture (IT-EA) enforcement that have been identified since our review started in May 2003. SBA’s attention is needed to address actual enforcement of the IT-EA during the systems development process.

BACKGROUND

ODA is the primary provider of low-interest, long-term loans to renters, homeowners, nonprofit organizations, and businesses of all sizes to rebuild after a disaster. The performance of ODA is vital to SBA’s strategic goal of helping businesses and families recover from disasters. Currently, ODA operates the Automated Loan Control System (ALCS) to process disaster loan assistance. ALCS is a distributed system which is in operation at the four Disaster Area Offices and utilizes a mix of mainframe and microcomputer capabilities. The primary impetus of DCMS is to implement a Commercial-Off-The-Shelf (COTS) solution intended to provide more features, better usability, improved reliability and maintainability, better performance, and better security than either the current ALCS system or a custom-developed system. This is planned to be accomplished by purchasing an existing software package and tailoring the software to meet SBA’s business rules.

SBA’s IT-EA identifies SBA’s mission, the information necessary to perform the mission, the technology necessary for mission support, and the processes for implementing new technologies in response to changing business needs. It establishes an organization-wide roadmap for achieving optimal performance of mission-critical business processes within an efficient information technology environment. The SBA IT-EA is also supposed to provide discipline and a controlled process for modernizing information systems, developing new systems and implementing new IT technologies that optimize system performance.

OBJECTIVES, SCOPE AND METHODOLOGY

The objectives of our audit are to determine if SBA’s implementation of DCMS (1) provides adequate safeguards, controls and testing before DCMS is placed into production status, and (2) complies with the overall objectives of the SBA IT-EA. This ongoing audit identifies issues which may cause undue risk to the DCMS project as they arise. Due to the critical time frames for implementation of DCMS, it is anticipated that corrective actions will occur promptly to reduce the level of residual risk to the project. To accomplish our objectives, we reviewed SBA’s DCMS project materials and interviewed SBA and contractor personnel. Fieldwork was performed at SBA’s Central Office in Washington, D.C. from July through December 2003. The audit was conducted in accordance with generally accepted Government Auditing Standards.

AUDIT RESULTS

Based on our review, ODA has followed a disciplined planning process and has strong management oversight of the DCMS project. After our initial audit report was issued, ODA increased its awareness and efforts to implement security and provide systems development oversight. Additionally, the Office of the Chief Information Officer (OCIO) provided more proactive oversight of the DCMS project. We did find, however, the need for the OCIO to more adequately enforce SBA’s IT-EA standards for the DCMS project.

Finding 1:    SBA did not adequately enforce its Enterprise Architecture

SBA had not adequately enforced its IT-EA during the initial phase of the development of the DCMS project. This occurred because, at the time the DCMS project was initiated, OCIO did not believe it had the authority within SBA to enforce SBA’s IT-EA and had not formulated a strategy to enforce SBA’s IT-EA during system development projects. As a result, certain aspects of DCMS, including the planning to implement a new Virtual Private Network for ODA, the adoption of certain middleware capabilities to communicate between DCMS and the SBA mainframe systems, and the adoption of DCMS scanning software, were initiated without prior OCIO review and full concurrence.

Executive Order 13011 established the Chief Information Officer (CIO) and gave the CIO the visibility and management responsibilities necessary to advise the agency head on the design, development, and implementation of the Agency’s information systems. CIO responsibilities include: (1) participating in the investment review process for information systems; (2) monitoring and evaluating the performance of those information systems on the basis of applicable performance measures; and (3) as necessary, advising the agency head to modify or terminate those systems.

SBA’s Information Technology Investment Manual (ITIM), Section 6.4.1, identifies that an In-Process Review (IPR) should be conducted as part of the investment review process for ongoing IT projects. Part of the IPR is confirming that the investment continues to adhere to current and planned IT-EA standards.

SBA issued more rigorous IT-EA standards in May 2003 which require that all planned IT-EA purchases be evaluated by the IT Architecture Review Board (ITARB). However, these standards were not in effect when the DCMS project began and therefore did not apply to the project from its initiation through May 2003.

During our initial audit fieldwork for DCMS, OCIO officials identified that ODA was not being fully forthcoming during systems development life cycle (SDLC) oversight about IT-EA software, firmware and hardware that ODA was planning on procuring for DCMS. Specifically, information not identified included: (1) a planned separate DCMS Virtual Private Network (VPN), (2) a middleware product for use in communicating between the DCMS COTS product, the SBA mainframe and the SBA client-server environment, and (3) scanning software that is being planned for adoption by ODA for DCMS. According to OCIO officials, these products were adopted without full OCIO concurrence and without consideration for SBA’s IT-EA.

SBA’s initial IT-EA document, issued in March 2000, identified that SBA supports two Wide Area Networks (WAN). One WAN was for general and administrative operations and the other WAN was for disaster operations. At that time, the document identified that economies may be realized in a reevaluation of the WAN architecture.

According to ODA officials:

•      The planned VPN was only a plan put forth by ODA’s contract developer. The VPN needed to be approved by OCIO, and the VPN was put on hold for three weeks while an agreement was reached between OCIO and ODA.
•      The middleware was approved by the CIO in a proof of concept earlier in 2003.
•      The planned scanning software has not been approved by OCIO as it would only be utilized by ODA for the DCMS system at this time.

We informed both ODA and OCIO that an IPR, which between project initiation in September 1999 and May 2003 was the only IT-EA compliance requirement issued by OCIO, had not been performed on DCMS.

We also stressed to ODA that when developing a system, the developing office must include OCIO on three levels: (1) OCIO Security, to certify the security of the planned system; (2) OCIO SDLC, to oversee and approve the development process; and (3) the OCIO Enterprise Architect, to ensure and validate that IT-EA issues are fully reviewed and approved by the ITARB. We are making no recommendations to ODA at this time because ODA became more cognizant of IT-EA issues during our audit.

Recommendation:

We recommend that the Chief Information Officer:

1A.    Perform “In-Process Reviews” for large-scale system development projects as part of the investment review process to ensure that IT Enterprise Architecture standards are enforced.

1B.    Formulate and publish a strategy to provide for more proactive oversight of development projects from an IT Enterprise Architecture perspective.

Management Response:

The CIO agreed with both recommendations and stated that OCIO would perform “In-Process Reviews” as part of the Business Technology Investment Council process at the end of the first (DCMS) build cycle. Additionally, OCIO is committed to “getting to green” in strengthening its IT-EA oversight responsibilities. Further, OCIO published policy notice 9000-1450, titled “Implementation of SBA EA Program Policies,” on August 1, 2003. The Chief Information Officer’s entire response, less attachments, is included as Attachment 1 to our report.

Assessment of Management Response:

SBA Management’s comments are responsive to the recommendations.

***

The findings included in this report are the conclusions of the Auditing Division based upon the auditors’ review of Disaster Credit Management System planning and project documents and related materials. The findings and recommendations are subject to review and implementation of corrective action by your office following the existing Agency procedures for audit follow-up and resolution.

This report may contain proprietary information subject to the provisions of 18 USC 1905. Do not release to the public or another agency without permission of the Office of Inspector General.

Should you or your staff have any questions, please contact Robert G. Hultberg, Director, Business Development Programs Group, at (202) 205-7577.

ATTACHMENT 1

U.S. SMALL BUSINESS ADMINISTRATION
WASHINGTON, DC 20416

February 25, 2004

To:        Robert G. Seabrooks
           Assistant Inspector General for Auditing

From:      Stephen D. Galvan [FOIA Ex. 6]
           Chief Information Officer

Subject:   Response to IG report, enforcement of SBA's EA during the development of the Disaster Credit Management System

OCIO is responding to your memo dated January 28, 2004, entitled "Enforcement of the SBA's Information Technology Enterprise Architecture (EA) during the development of the Disaster Credit Management System." Specifically, OCIO agrees with the two OIG recommendations contained in the draft audit report.

       Formulate and publish a strategy to provide for more proactive oversight of development projects from an IT Enterprise Architect perspective.

Response:  OCIO has published policy notice 9000-1450 titled "Implementation of SBA EA Program Policies," which was promulgated August 1, 2003. This policy notice refers to the "SBA Enterprise Architecture Program Policies and Procedures" and can be found at the following intranet site: http://ves.sba.gov/ocio/arch.html.

           As stewards of the EA process, OCIO performs part of its oversight responsibility as defined in section 5.2.2, "Investment Performance Oversight - CONTROL PHASE". This section discusses the EA, Business Technology Investment Council process, and Program Office Investment Board roles in implementing project "In-Progress Reviews."

           Finally, OCIO is attaching for OIG review its plan to ensure more effective oversight called "Plan for Improved Oversight of Office of Disaster Assistance's DCMS Project."

       Perform "In-Progress Reviews" for large-scale system development projects as a part of the investment review process to ensure that IT Enterprise Architecture standards are enforced.

Response:  As specified in its published policy and standards and implied in the "getting to green" actions, OCIO is committed to strengthening its oversight responsibilities. For example, OCIO participates in weekly conference calls with the Disaster Office staffs to discuss the status of the project and ensure that they are enforcing IT EA standards. We are also planning to participate in the 1st product review at the end of the current build cycle.

ATTACHMENT 2

REPORT DISTRIBUTION

Recipient                                                      No. of Copies

General Counsel ..............................................  3

General Accounting Office ....................................  1

Associate Administrator for Disaster Assistance ..............  1

Office of the Chief Financial Officer
  Attention: Jeffrey Brown ...................................  1